Deleting session variables

Sometimes it is necessary to delete session variables. This is easily accomplished with the function session_unregister(). For example, suppose you provide the user with the opportunity to deny the automatic setting of the background color to #8080ff as was done in Listing 1, instead causing the default white background color to be displayed. To illustrate how this is accomplished, I'll rewrite Listing 2, the result of which is shown in Listing 3:

Storing session variables in a cookie

The final concept I'd like to discuss is how to store several parcels of data within cookies on the client machine. Certain browsers place limitations on the number of cookies a domain can store at one time; therefore, it becomes necessary to devise other techniques for storing this data. One such technique is to encode all the data into one long string and store it within a single cookie. Not surprisingly, those brilliant PHP developers had the foresight to create a function capable of doing exactly this, namely session_encode(). This function will return a single string containing all of the variable names and matching data, much like you would see appended to a URL. Consider Listing 4 for an example:

This is particularly convenient because you can then store this string directly within a single cookie. The only thing you must be wary of is the overall cookie size, since most browsers support maximum cookie sizes of only around 5 kilobytes. To ensure the data is not erased (unintentionally or otherwise) by the user, you might want to store this string within a database and store only the session ID in a cookie on the client machine. Or, you could store the SID within the cookie and the encoded string within the database. Just keep security in mind in accordance with the sensitivity of the data being stored on the client browser. Still another alternative is to store the encrypted string in a cookie, and then decrypt it upon retrieval.

Regardless of what you decide to do with the data, you can later "unravel" the string and automatically restore the session variables by using the function session_decode(). Supposing you wanted to later decode $encoded_string:

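<?php
session_start(); // session_decode() needs an active session to populate
// Restore the variables held in $encoded_string into the current session
session_decode($encoded_string);
?>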

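This not only decodes the string into its respective name/value pairs, but also makes each a session variable. Because every pair in the string becomes a session variable, a string that has been stored on the client should be checked for tampering before it is decoded.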
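The encrypted-cookie alternative mentioned above, as an added example that is not part of the original article: it seals the session_encode() output with libsodium's authenticated encryption (PHP 7.2 or later), so a cookie modified on the client is rejected before session_decode() runs. The function names, the 'bgcolor' variable, the 'sessdata' cookie name and the per-run key are assumptions for illustration.

```php
<?php
// Added example: seal a session_encode() string before it goes into a cookie.
// Function names, the 'bgcolor' variable and the per-run key are assumptions.
const MAX_COOKIE_BYTES = 4000; // stay below typical per-cookie browser limits

// Encrypt and authenticate the encoded session string; returns a cookie-safe value.
function seal_session_string(string $encoded, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = base64_encode($nonce . sodium_crypto_secretbox($encoded, $nonce, $key));
    if (strlen($sealed) > MAX_COOKIE_BYTES) {
        throw new LengthException('session data too large for one cookie');
    }
    return $sealed;
}

// Return the original string, or null if the cookie is malformed or was modified.
function open_session_string(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed demo. A real key is loaded from server-side configuration.
$key = sodium_crypto_secretbox_keygen();
session_start();
$_SESSION['bgcolor'] = '#8080ff';
$cookieValue = seal_session_string(session_encode(), $key);
// On a web request: setcookie('sessdata', $cookieValue, ['httponly' => true, 'secure' => true]);

// Later request: decode only a cookie that passes authentication.
$_SESSION = [];
$restored = open_session_string($cookieValue, $key);
if ($restored !== null) {
    session_decode($restored);
}
var_dump($_SESSION['bgcolor'] ?? null);

// A cookie altered on the client is rejected, so session_decode() never sees it.
$tampered = substr_replace($cookieValue, $cookieValue[40] === 'A' ? 'B' : 'A', 40, 1);
var_dump(open_session_string($tampered, $key));
```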

What's next

This article introduced you to PHP's native session-tracking functionality. Details were provided regarding general configuration, strategies (cookies vs. URL rewriting) and PHP's predefined session functionality. To illustrate this useful feature, several examples were provided, giving you a taste of how sessions are used in a typical scenario.

In my next article, I'll expand upon this introduction to session handling, focusing on how you can use PHP's session_set_save_handler() function to create customized session-storage functions. This is particularly useful when you would like to use a specific medium for storage and retrieval of session information, such as a database. To illustrate this great feature, I'll explain how custom functions can be written to incorporate a MySQL database into the session-storage scheme.

W.J. Gilmore has been developing PHP applications since 1997, and is frequently published on the subject within some of the Web's most popular development sites. He is the author of 'A Programmer's Introduction to PHP 4.0' (January 2001, Apress), and is the Assistant Editorial Director of Web and Open Source Technologies at Apress.